By Patrick McCallum and Claire Halle-Smith, Wright Hassall
In May, Meta (the owner of Facebook, WhatsApp and Instagram) was fined €1.2 billion by the Irish Data Protection Commission for breaches of data protection legislation. When stories like this make the news, it can be tempting for SMEs to dismiss data protection compliance as something they don’t need to worry about or, at most, to adopt a “tick box” approach to it, while regulators seemingly focus all their attention on major international businesses in pursuit of headline-grabbing fines.
However, SMEs would do well to note that it is exactly this laid-back approach that got Meta into hot water in this latest case, and the implications of the decision have a potentially significant and far-reaching impact on SMEs and larger businesses alike.
What did Meta do wrong to incur such a large fine?
Meta was transferring personal data from Ireland to a US entity. Under the GDPR, the US is not deemed to have adequate GDPR-equivalent laws in place. This meant that if Meta wanted to transfer personal data to a company in the US, it needed to:
- insert EU-approved “standard contractual clauses” (SCCs) into its contract with the US entity;
- conduct a risk assessment on the US entity, in order to determine its ability to comply with the GDPR; and
- put in place additional practical safeguards, to ensure the US entity complied with the GDPR.
It was determined that Meta relied too heavily on having the SCCs in place as sufficient grounds to lawfully transfer data to the US entity, and paid too little attention to the actual safeguards that the US entity needed to implement in order to achieve this.
This resulted in Meta not being able to “guarantee a level of protection to data subjects that is essentially equivalent to that provided by [the GDPR]”.
The implication of this decision is to:
- re-emphasise that businesses cannot simply rely on having all the necessary paperwork in place to lawfully transfer personal data to the US; and
- impose a much higher standard on what is expected of businesses when assessing, on a practical level, the ability of a US entity to comply with the GDPR and what measures need to be put in place to achieve this.
Why do UK-US data transfers attract so much attention from data regulators?
Despite the extent to which US entities work with UK and EU businesses, the US data protection regime is not deemed to provide GDPR-equivalent protection for individuals.
At the same time, the US is not traditionally seen as a “red flag” country for UK and EU businesses to work with.
This, coupled with a general indifference to data protection compliance, often means that businesses do not adopt a particularly thorough approach to ensuring their US partners have the appropriate safeguards in place to securely process UK or EU personal data.
The combination of these factors means that personal data can be at risk when transferred to the US, which is why data regulators always treat the transfer of personal data from the UK or the EU to the US with considerable caution and scrutiny.
Is this relevant to SMEs?
Many SMEs have commercial relationships with US entities that involve the transfer of personal data. This could be by virtue of employing US staff who operate remotely, having US customers, using US software and/or IT systems or engaging US suppliers or subcontractors.
Whenever SMEs send personal data to the US, share personal data with the US or simply allow US entities access to personal data (even if that access is purely hypothetical or limited in nature), this constitutes a transfer of personal data to the US, which the SME needs to ensure is compliant with data protection law.
What impact could this decision have on SMEs?
This case demonstrates that regulators will not accept the “tick box” approach that many SMEs take to overseas data transfers.
SMEs that have not taken, or do not take, sufficient steps to put adequate measures in place for transferring data overseas in compliance with data protection laws run the risk of enforcement action being taken against them. This could result in:
- restrictions being imposed on who SMEs can share data with, forcing them to sever ties with key overseas business partners;
- major disruption to the day-to-day running of SMEs, by virtue of them no longer being able to use vital overseas software or services;
- SMEs incurring significant time and expense onboarding alternative service providers based in countries that are deemed “adequate” under data protection laws; and
- large fines being levied against SMEs.
What steps should SMEs be taking to ensure they are lawfully transferring personal data overseas?
To ensure they are transferring personal data overseas in a way that complies with data protection laws, SMEs should be:
- reviewing data flows to identify any data transfers to countries not deemed to have “adequate” data protection measures in place (whether that be the US or any other country);
- re-assessing how they decided that any overseas data transfers they carry out were compliant with data protection laws;
- getting the right contracts in place with overseas entities – in the UK, this means some form of data processing agreement which incorporates an International Data Transfer Agreement (IDTA) (this is the UK equivalent of the EU’s SCCs);
- undertaking a risk assessment of the overseas entity they are transferring data to;
- implementing practical measures with those overseas entities to ensure data is transferred securely; and
- considering alternative providers in the UK/EU where such measures do not need to be taken.
If you are an SME that wants help with any of the above, you can speak to a member of Wright Hassall’s Data Protection team here: https://www.wrighthassall.co.uk/expertise/gdpr#Our%20people